Tuesday, December 15, 2020

AZ 303 Exam Notes

Exam AZ-303: Microsoft Azure Architect Technologieshttps://docs.microsoft.com/en-us/learn/certifications/exams/az-303 

Practice Test exam https://www.measureup.com/official-practice-test-az-303-microsoft-azure-architect-technologies.html 

Study Guidehttps://aka.ms/ESIStudyGuide_AZ-303

AZ-303 study guide, for the skills measured and link for all topics: https://aka.ms/ESIStudyGuide_AZ-303

Microsoft Azure Certification Pathshttps://docs.microsoft.com/en-us/learn/certifications/

An Azure Virtual Network allows you to communicate resources within the same Vnet, across different Vnets in Azure and for Hybrid connectivity to the on-premise, you can find the same terminology comparing than a physical network (ip addresses, subnetting, CIDR notation, network routing, etc). https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview

VNet Peering uses the backbone Microsoft network to connect 2 Vnets in the same region or in different regions (Global Vnet Peering), provides a quick configuration, better performance and good security, within the same or different tenants, can be interconnected with Azure VPN Gateways to allow transitivity and Used Defined Routes (UDRs) can be used to control the next hop traffic. https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

An Azure Virtual Machine uses IaaS (Infrastructure as a Service), allows you to create a resource that runs on an Operating System (Windows or Linux based) to create your workloads, you are responsible for maintaining and operating the OS and its configuration, but not the infrastructure that is under the responsibility of the provider. https://docs.microsoft.com/en-us/azure/virtual-machines/

Your Azure VM has multiple components that in combination makes your VM to work properly, one of the core resources is the VM disk, you have multiple disk performances that uses HDDs or SSD drives, you can select different disk sizes and there are support for encryption at rest with SSE and ADE to encrypt your disk with Bitlocker for Windows and DM-crypt for Linux. https://docs.microsoft.com/en-us/azure/virtual-machines/managed-disks-overview

Azure VMs uses the IaaS deployment model that means that we are responsible for multiple layers, including to create our VMs in a High Availability, and HA option provides a SLA for your workload, but we need to create more than 1 VM for the same purpose under an LB solution to make sure that at least another instance is available for backing up our workload, the HA options are: -Using Premium SSD for all disks in a VM (99.9%) SLA. -Use an Availability Set in at least 2 Update Domains and 2 Fault Domains (99.95%). -Use Availability Zones (limited to few regions) (99.99%) SLA. https://docs.microsoft.com/en-us/azure/virtual-machines/availability

An Virtual Machine Scale set is a single resource that creates from 1 and up to hundreds or thousand computer with the same configuration, commonly used with an LB solution for the HA of your workload, as a difference with regular Azure VMs this resource supports horizontal scaling automatically based on rules, and scales out or in automatically as needed. https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/overview

ARM templates allows you to use configuration files to create resources, ARM uses JSON files that can be created from blank or take JSONs from existing resources or access a public ARM template repository to create one or multiple resources from a single file, you can create a library of templates to save yours. https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/overview

Here you can find the Azure Quickstart Templates public official repository to search for hundreds of existing templates that goes from creating a simple Windows or Linux VMs, to create a complete infrastructure for a multi-tier globally available project. https://azure.microsoft.com/en-us/resources/templates/

A runbook uses commands to automate frequent tasks in response to an alert or a known failure, you can create runbooks for azure resources or using an automation account and an agent deployment to extend to the on-premise https://docs.microsoft.com/en-us/azure/automation/automation-runbook-types

An Azure Storage Account is a resources that uses Platform as a Service Model (PaaS) as a difference with an Azure VM, we do not control an operating system, we only create a resource for the purpose of storing data with security that supports from one and up to 4 storage services (Blobs, Files, Tables and Queues), uses HDDs or SSD by selecting Standard or Premium storage performance and assigns by default an initial capacity of 500TB per storage account, your storage account creates an endpoint per service using a unique URL. https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview

Recommended storage service usage: -Blob Storage: media files, VHD storage, logs. -File Storage: migrate existing on-premise file shares to cloud using SMB protocol. -Queue Storage: to access using code to a service to share messages between applications. -Table Storage: to access to a structured storage trough applications to insert, list, read, delete data using an OData protocol and the ability to query the information.

The different types of storage services within a Storage account supports multiple authentication options, including using Access Keys, Shared Access Signatures, Azure AD Authentication, here you can find detailed information about a specific storage services and authentication supported. https://docs.microsoft.com/en-us/azure/storage/common/storage-auth

Role-Based Access Control (RBAC) is the role delegation model that azure uses to assign permissions to resources within your subscription, there are multiple built-in roles that target the most common roles, but you can create your custom roles, there are role inheritance based on a structure created with Management groups, Subscriptions, Resources groups and resources. https://docs.microsoft.com/en-us/azure/role-based-access-control/overview

With Azure Key Vault you can protect Passwords, Keys and Certificates, each have its own granular role delegation, a key vault is commonly used for the purpose of securely authenticate resources or applications by using this secure storage, preventing developers to save authentication information in code, developers only use SDKs and libraries to reference in code the URI of the key vault in combination with a Managed Service Account that automatically pulls the secret from the vault. https://docs.microsoft.com/en-us/azure/key-vault/

A Shared Access Signature is recommended to use for delegating temporary and permission controlled access, you can set an start time and expiration and you can specify the list of permissions to use with an SAS if SAS expires in no longer valid for authentication. https://docs.microsoft.com/en-us/rest/api/storageservices/delegate-access-with-shared-access-signature

Azure AD is the identity service used by any azure subscription, with this service you manage your directory (users, groups, devices, domains, policies, identity security features, etc.) https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis

Azure AD Identity Protection is a security service that monitors your users and automatically detect potential risks at sign in process, with cloud services protecting the users and the sign in process becomes critical. https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection

Self-Service Password Reset is commonly used to remove the operational request usually taken by administrator to reset the password of the users as a self-service adding security controls in the process by using multi-factor authentication https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-howitworks

A conditional access policy allows you to set one or multiple conditions using signals around the user to based on rules allow or block an access to a user that is not connected from a secure network, or trying to sign in from an unfamiliar location or insecure device. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview

Multi-Factor Authentication adds multiple layers of authentication for the purpose of validate a user integrity continuously, a user will be prompted to configure a second factor of authentication in combination with his user/password by using a mobile for example to receive temporary codes that need to provide in the sign in process. https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks

To allow an external user to collaborate within your subscription, you can send an invitation via email, the user will receive an automatic email with the steps to follow, the user will be prompted to provide a MS related account to finally accept the invitation, once the invitation is accepted you can see the guest user in your directory and you can delegate a role. https://docs.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-add-guest-users-portal

Azure AD Connect is an agent required to configure synchronization from your On premises AD DS to your Azure AD for the purpose of sync the required users to cloud and avoid creating users manually an make sure that the objects on both directories represents the same user. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-whatis

Password Writeback complements the functionality of SSPR that is available in azure AD and allow the sync-back option to refresh the password in AD DS for the same user.

In Synchronized environments, SSO allows users to sign in to both environments without providing authentication multiple times, single authentication will be trusted in the other environment. https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-single-sign-on

Azure Security Center uses a combination of policies that follows standards (ISO, SOC, TSP, etc..) or your custom policies, to validate your security condition in your subscriptions, you will generate a security score and triggers automatic recommendations and alerts when you are not in compliance, those recommendations can help you to increase your score. https://docs.microsoft.com/en-us/azure/security-center/security-center-introduction

Azure Monitor is a service that uses 2 datastores (Activity Log and Metrics) to capture all your activities from your resources and users and also stores information about the performance of your resources, from that information, you can create alerts that triggers from conditions that you can customize or configure with an action group for automatic response. https://docs.microsoft.com/en-us/azure/azure-monitor/overview

Alerts configuration detailed information: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/alerts-overview

A service that displays the status of the Azure services, that we can use for troubleshooting: https://docs.microsoft.com/en-us/azure/service-health/

With Azure Cost management you can track your one or multiple subscription, configure quotas, download bills, create forecast, etc. https://docs.microsoft.com/en-us/azure/cost-management-billing/cost-management-billing-overview

App Insights helps you to track the performance of an application, you can use it for applications that you host in azure (VMs, Web Apps and Containers) or applications that you host outside azure (on premise) or other clouds, you have access to a instrumentation key for the connection. https://docs.microsoft.com/en-us/azure/azure-monitor/app/app-insights-overview

Log Analytics Workspace is consider a deep infrastructure monitoring resource, its not an included services like the Azure Monitor, you need to create it as a resources and after creating it, you need to connect the sources (Azure VMs, other Azure resources) and computers in the on premise or other clouds, after you have the connected sources you can access the workspace to run queries in Kusto Query Language to correlate the logs and create your custom reports. https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/log-analytics-tutorial

Azure Load Balancer can be integrated with IaaS VMs within the same region to create a HA workloads, the Azure LB uses a series of rules, backend pools, health probes to monitor the service response from the multiple instances backing up the same service and automatically sends the traffic to the health instances until others are available, it’s a regional LB. https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview

An Application Gateway can use a Web Application Firewall with a series of OWASP rules that protects from common threats, operates at the Layer 7 taking the OSI model of reference and uses a series of rules, listeners and backend pool to make the decision of the traffic and monitor the health of the services within the backend pool. https://docs.microsoft.com/en-us/azure/application-gateway/overview

Firewall main features: -Stateful Firewall as a Service resource. -Highly available. SLA (99.95%) in single availability zone or 99.99% in two or more availability zone. -Automatic scalability. -Uses a Public Static IP. -FQDN url filtering and Network rule configuration. Frequently Asked Questions for Firewall: https://docs.microsoft.com/en-us/azure/firewall/firewall-faq

Azure Front Door is another Global LB solutions that uses split TCP unicast for the global distribution, also supported different types of resources and Public IP´s in his backend host configuration, includes security with a Web Application Firewall https://docs.microsoft.com/en-us/azure/frontdoor/front-door-overview

If you wonder, What is the LB solution to use for my requirements?, you can take a look at this LB decision tree: https://docs.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview

Traffic Manager is considered a Global LB solutions, under the TM profile we can include Azure VMs, App Services, Public Ips, TM uses DNS to identify the request source and supports different routing options to make the decision of sending the traffic to closest endpoint or better performant. https://docs.microsoft.com/en-us/azure/traffic-manager/traffic-manager-overview

Key information about NSG: -Free of charge. -Can be assigned to Subnets or Network Interface Cards. -Can work in combination with Azure Firewall and 3rd party FWs. -Can only be assigned to NIC or subnets within the same azure datacenter region. https://docs.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview

Important to understand the difference between NSG and ASG: An NSG creates access control rules with priority, port ranges, protocols, source, destination and actions (allow or deny) and an ASG it’s a resource that we can use to group IP´s in to an ASG that we can reference in a NSG on its source or destination to simplify the rule assignment, so NSG and ASG work together. https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups

Important to understand the difference between NSG and ASG: An NSG creates access control rules with priority, port ranges, protocols, source, destination and actions (allow or deny) and an ASG it’s a resource that we can use to group IP´s in to an ASG that we can reference in a NSG on its source or destination to simplify the rule assignment, so NSG and ASG work together. https://docs.microsoft.com/en-us/azure/virtual-network/application-security-groups

Azure Bastion is another security feature, enables a Subnet within a Virtual Network to accept secure remote connections to Windows or Linux VMs using all the time only private ip addresses, the remote connection runs on a modern update support browser, no need for remote clients. https://docs.microsoft.com/en-us/azure/bastion/bastion-overview

Azure Migration is a project that you can create in your subscription to collect data from your on premises workloads for the purpose of evaluate the actual performance and create reports that will help you in the process of create a discovery and assessment process, the migration process and post migration guidance. https://docs.microsoft.com/en-us/azure/migrate/migrate-services-overview

Azure Backup is a backup as a service resource, that you can use to protect VMs, File shares or On premises workloads, the Backup Services uses a Backup agent that computers in azure and outside requires to configure, the Backup Vault uses a unique endpoint that every computer can resolve an connect security with a password file, once the agent is sync with the Backup Vault you can control the backup and restore operations from the Cloud service. https://docs.microsoft.com/en-us/azure/backup/backup-overview

Update Management in Azure is the equivalent WSUS services that runs in the cloud, your subscription requires an automation account and a log analytics workspace to manage the updates to your VMs. https://docs.microsoft.com/en-us/azure/automation/update-management/overview

Desired State Configuration allows you to automate the process of configuring a VM and achieve the consistency in the state of the computer, files, services, software, etc. https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/dsc-overview

Azure Governance is a combination of services and policies configurations and best practices to manage your subscriptions and control what users can o can´t perform based on your custom rules, some of the components for Governance are: -Management Groups -Azure Policy -Azure Blueprints -resource Graph https://docs.microsoft.com/en-us/azure/governance/

Access Review is commonly used to help you to make sure that "the right users has the right access" : https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview

An Azure policy is used to have control and consistency in your subscription for example, controlling to create azure resources in a specific azure datacenter region, apply name conventions to users, apply an effect to your policy that can be deny some deployment that is not compliant. https://docs.microsoft.com/en-us/azure/governance/policy/overview

With an Azure Blueprint we can re-create complete environments, a Blueprint is a package of JSON templates that represents resources configurations, Policies and Initiatives and Role delegation for users. https://docs.microsoft.com/en-us/azure/governance/blueprints/overview

Application Management with Azure AD, you can use it to outsource Azure AD and other populer Identity Service Providers to configure your custom apps with modern authentication: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-application-management

A Managed Service Identity is a special type of account that developers can use to perform automatic actions like pulling secrets from an Azure Key Vault, the MSI can be delegated with a specific permission. https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

With Azure Key Vault you can protect Passwords, Keys and Certificates, each have its own granular role delegation, a key vault is commonly used for the purpose of securely authenticate resources or applications by using this secure storage, preventing developers to save authentication information in code, developers only use SDKs and libraries to reference in code the URI of the key vault in combination with a Managed Service Account that automatically pulls the secret from the vault. https://docs.microsoft.com/en-us/azure/key-vault/

An azure app service is a Platform as a Service (PaaS) service designed to run applications without the overhead of configuring, maintaining, and fixing a computer and its OS, developers have options to deploy to multiple frameworks and they can focus in the application, not in the infrastructure, support autoscaling, DevOps integration, Backup, SSL certificates, authentication options. https://docs.microsoft.com/en-us/azure/app-service/

App Service Plan is a resources that represents the compute for an App service, an App service plan can be used by more than one App Service at the same time considering the potential performance issue because the Plan has limited resources, is the representation of a VM size. https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans

Azure Container Registry is a resource to store containerized applications, azure supports multiple options for running apps in container technologies, the images requires a registry services to host, maintain and pull the images from the container services. https://docs.microsoft.com/en-us/azure/container-registry/

A Logic App is another “serverless app” that allows you to create flows using 1 or multiple connectors, connector represents APIs from azure services or 3rd party services, you can extend the scope of a logic app to other clouds or the on premise, you have access to a designer to create your flows, no skills needed for coding. https://docs.microsoft.com/en-us/azure/logic-apps/

An azure function app is part of the azure “serverless apps” offering, works in the same App Service model with the difference that the function app can react on events, events can be other services or applications conditions or alerts, with a function app you can dynamically use compute to perform operations only reacting to an event, commonly used to automate processes without using virtual machines. https://azure.microsoft.com/en-us/blog/introducing-azure-functions/

Azure Kubernetes service (AKS) is a cluster technology designed to orchestrate multiple applications within a central cluster resource, supports for CI/CD pipelines integration, native security by using Node Isolation between apps, there is no need to manage and operate VMs with an AKS, that administration is taken care by the provider. https://docs.microsoft.com/en-us/azure/aks/

Azure Container Instance (ACI) is a resource to run containerized applications, there is no need to create or manage computers, you simply create an ACI instance, select it to run Windows or Linux as the OS reference, you reference the image that you want to pull from a registry that can be a Public or Private Container registry repository or using the ACR. https://docs.microsoft.com/en-us/azure/container-instances/

Azure Table storage is available from the General Purpose v1 and v2 storage account, provides you a NoSQL datastore to be accessed by Http/Https protocols and OData queries. https://docs.microsoft.com/en-us/azure/cosmos-db/table-storage-overview

Azure Cosmos DB is a NoSQL and globally turn-key distributed database supports multiple APIs for existing DB migrations and models like, Gremling, Cassandra, Mongo, SQL and Table APIs, supports up to five consistency levels for the global distribution and replicas consistency that goes from the loosest to the strongest. https://docs.microsoft.com/en-us/azure/cosmos-db/introduction

Azure SQL database is a PaaS service that allows you to host and manage relational databases without the need to configure and maintain a SQL server instance, supports security by using a SQL defender, Auditing and Vulnerability Assessment, Azure AD Authentication can be used, TDE encryption and Always Encryption support, Dynamic data masking, you can use it to migrate existing DBs or create new ones. https://docs.microsoft.com/en-us/azure/azure-sql/

8 comments:

donaldfackler said...

It was a difficult task to pass the AZ-303 exam but PassitCertify gave me not only the material but guided me throughout my preparation. By taking help from AZ-303 Questions I have passed my certification. Now if I go for the next IT certification I will choose AZ-303 dumps for the same results.
Download Free Demo: https://www.passitcertify.com/microsoft/az-303-questions.html

PDF and Software said...

Download the BCS CISMP-V9 Q&A PDF file easily to prepare BCS Foundation Certificate in Information Security Management Principles V9.0 Exam. It is particularly designed for BCS CISMP-V9 exam and our BCS specialists have created this CISMP-V9 Question Dumps observing the original CISMP-V9 exam. related post https://www.morganrichardson.co.uk/takeaway-insurance/take-away/

Prepare4test said...

Prepare for BCS BH0-005 exam with our preparation material with full confidence. We offer you 100% real ISEB Certificate in Software Asset Management Essentials BCS BH0-005 exam dumps for your better results. Prepare4Test’s BH0-005 pdf dumps are verified by BCS Gurus. Related https://accountingworks.co.za/sageone-logo/

Roger Kin said...


Most of the Microsoft AZ-303 test students work hard to get the credibility and integrity among their fellows and boss. The Azure Solutions Architect Expert exam is vital for the professionals in IT field. For getting expertise in Microsoft AZ-303 test questions are significant. The scope of this Microsoft exam certification is wide for IT experts. They get enough material for preparation of the Microsoft Azure Solutions Architect Expert test for Microsoft exam certified with the help of the Microsoft AZ-303 braindumps. By using these AZ-303 test dumps they get enough skills to appear in the Azure Solutions Architect Expert test. Microsoft exam certifications has a sound name across the global IT market. So if you plan to get AZ-303 exam training material, this can make you a known Azure Solutions Architect Expert test specialist around the globe. In order to apply for and become IT specialist with Microsoft certification you have to professional experience.

olivia-james said...

I can’t explain my happiness for my success in AZ-303. AZ-303 Dumps questions has made the preparation a lot easier for the students by providing such suitable material. All the questions have been answered very competently and concisely by the experts who know the nature of the exam well. The experts supported and guided me throughout the preparation till the finals. I appreciate the efforts done by PassExam4Sure for leading so many candidates toward success.

GetBrainDumps said...

The questions have all been addressed in a clear and simple manner by specialists who are familiar with the exam's format. From my initial preparations through the finals, I had the full backing and guidance of the specialists.

GetBrainDumps said...

Experts who are familiar with the exam's format have provided clear and simple solutions
to all of the questions.

GetBrainDumps said...

he scope of this Microsoft exam certification is wide for IT experts. They get enough material for preparation of the Microsoft Azure Solutions Architect Expert test for Microsoft exam certified with the help of the Microsoft AZ-303 braindumps. getbraindumps.